2008/3/30, Marcus Meissner
On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:
Personally I keep sshd running, but otoh, for newbie users, like Marcus suggested, have installed, but turned off (other daemons like telnet or ftp are not running by default either)
Another suggestion, for default sshd config:
1) only enable ssh2 protocol, now both ssh1 and ssh2 are enabled.
Protocol
Specifies the protocol versions sshd supports.
==> The default is "2,1". <==
This is already done for 10.3 and newer ... They only have 2 as default.
Cool
2) disable PasswordAuthentication
Specifies whether password authentication is allowed.
==> The default is "yes". <==
If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
This is not really userfriendly, so I do not think we will do this.
I use a private key, but I second this..
3) disable root access.
PermitRootLogin
Specifies whether root can log in using ssh
==> The default is "yes". <==
Horrible!!
This would be an idea.
That would be annoying. I have some servers where I don't have regular users or LDAP authentication (not all of them need to in our datacenter), and with this disabled I would still need to pull a serial console from somewhere to change this and have access to the headless server, even though the sshd is up and running after installation (remote installation case).
4) restrict access with "AllowUsers"
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns.
==> By default, login is allowed for all users. <==
Not userfriendly either.
Probably...
Suggestions 1 & 3 should have little or no impact. 2) would only cause some seconds of extra work for admins...
I will bring up the "PermitRootLogin: false" idea.
Ciao, Marcus
Regards, Ciro
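
An added example, not part of the original thread or of openSUSE's own configuration: a Python check of an sshd_config against the four suggestions discussed above. It assumes the defaults as quoted in the thread; the function names and the sample config are constructed for illustration.

```python
import re

# Defaults as quoted in the thread (assumption: they apply to the sshd being audited).
THREAD_DEFAULTS = {"protocol": "2,1", "passwordauthentication": "yes",
                   "permitrootlogin": "yes", "allowusers": None}

def effective_global(config_text):
    # sshd uses the first value obtained for a keyword; keywords are
    # case-insensitive; the global section ends at the first Match line.
    values = dict(THREAD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in values and key not in seen and len(parts) == 2:
            seen.add(key)
            values[key] = parts[1].strip()
    return values

def audit(config_text):
    # Return one finding per suggestion (1-4) that the config does not meet.
    v = effective_global(config_text)
    findings = []
    if v["protocol"] != "2":
        findings.append("1) Protocol is %r, ssh1 still enabled" % v["protocol"])
    if v["passwordauthentication"].lower() != "no":
        findings.append("2) PasswordAuthentication is enabled")
    if v["permitrootlogin"].lower() != "no":
        findings.append("3) PermitRootLogin is %r" % v["permitrootlogin"])
    if not v["allowusers"]:
        findings.append("4) no AllowUsers restriction")
    return findings

# Constructed sample: the second Protocol line is ignored (first value wins),
# the commented-out PermitRootLogin leaves the quoted default in effect, and
# the Match block does not change the global PasswordAuthentication setting.
SAMPLE = """\
Protocol 2,1
Protocol 2
#PermitRootLogin no
passwordauthentication no
Match User backup
    PasswordAuthentication yes
"""
```

Calling `audit(SAMPLE)` reports suggestions 1, 3 and 4 as unmet; a commented-out line in sshd_config documents a default and does not set anything.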